Thursday, 26 February 2015

Add another layer of protection on top of OAuth 2



My REST API is protected using OAuth 2. My main client is a native app.


It's working great, but there are certain calls to the API that I want to make sure are performed from my client - meaning that if the user obtained the access token, he will not be able to use curl in order to call my REST API.


For example, if I have a REST API for achievement unlocking, how can I make sure that an authenticated user will not be able to call this REST API in order to unlock the achievement?


Solutions that I thought of:



  1. Sign the request with a special header - but I think that it's breakable
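The "special header" idea from the question, worked through as an added example (not code from the original post): the client signs each request with an HMAC over the method, path, body hash, a timestamp and a nonce, and the server recomputes the MAC, rejects stale timestamps, rejects replayed nonces and compares in constant time. The header names (`X-Timestamp`, `X-Nonce`, `X-Signature`), the key value and the 300-second skew window are assumptions chosen for the example. Note that this only binds the request to a key the app holds; it does not change the fact that a key shipped inside a native app can be recovered from the binary, which is the limitation the question itself points at.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed values for this example: a real deployment would provision the
# client key per app build or per device rather than hard-coding one value.
CLIENT_KEY = b"example-client-key-not-a-real-secret"
CLOCK_SKEW_SECONDS = 300  # how far a request timestamp may drift from server time


def canonical_string(method: str, path: str, body: bytes, timestamp: int, nonce: str) -> bytes:
    """Bind every part of the request that matters to the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None, nonce: Optional[str] = None) -> dict:
    """Client side: produce the extra headers sent alongside the OAuth bearer token."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key, canonical_string(method, path, body, timestamp, nonce), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class SignatureVerifier:
    """Server side: recompute the MAC and reject stale or replayed requests."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now  # injectable clock so the logic can be tested deterministically
        self.seen_nonces = {}  # nonce -> expiry time (a shared cache in a multi-node deployment)

    def verify(self, method: str, path: str, body: bytes, headers: dict):
        """Return (accepted, reason) for one incoming request."""
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        now = int(self.now())
        if abs(now - ts) > CLOCK_SKEW_SECONDS:
            return False, "timestamp outside allowed window"
        # Forget nonces that can no longer be replayed, then reject any nonce already used
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        if nonce in self.seen_nonces:
            return False, "nonce replayed"
        expected = hmac.new(self.key, canonical_string(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak how many bytes matched
        if not hmac.compare_digest(expected, presented):
            return False, "signature mismatch"
        self.seen_nonces[nonce] = now + CLOCK_SKEW_SECONDS
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample request: an achievement-unlock call from the app
    body = b'{"achievement_id": 42}'
    headers = sign_request(CLIENT_KEY, "POST", "/achievements/unlock", body)
    verifier = SignatureVerifier(CLIENT_KEY)
    print(verifier.verify("POST", "/achievements/unlock", body, headers))   # first use accepted
    print(verifier.verify("POST", "/achievements/unlock", body, headers))   # same nonce again rejected
```

The verifier keeps the nonce cache only for the skew window, so memory stays bounded; anything outside the window is already rejected by the timestamp check. Because the body hash is part of the signed string, changing the achievement id in a captured request invalidates the signature.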